CVE-2019-11291

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

Published: Nov 23, 2019
Updated: May 9, 2024
CVE: CVE-2019-11291
GHSA: GHSA-9pf7-f47q-mwpq
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
vmware / rabbitmq	1.16.0	1.16.7
vmware / rabbitmq	1.17.0	1.17.4
redhat / openstack	15	15.x
rabbit_common	3.7.0	3.7.20
rabbit_common	3.8.0	3.8.1
broadcom / rabbitmq_server	3.8.0	3.8.0.x
broadcom / rabbitmq_server	3.7.0	3.7.20

Vulnerability Database

289,599

CVE-2019-11291